I do not think this is a bug. The problem is that you have added a security constraint to your LoginErrorPage.jsp page. The container is behaving exactly as you have asked it to. If you do not want your LoginErrorPage.jsp covered by this constraint then you should remove it.
Also, the servlet run-as element specifies a role the servlet takes on when it is executing. This does not cover the role a principal must have to access the servlet.
Hope this helps clearify things, cgriffith